Abstract

The definitional equality of an intensional type theory is its test of type compatibility. Today's systems rely on ordinary evaluation semantics to compare expressions in types, frustrating users with type errors arising when evaluation fails to identify two 'obviously' equal terms. If only the machine could decide a richer theory! We propose a way to decide theories which supplement evaluation with 'ν-rules', rearranging the neutral parts of normal forms, and report a successful initial experiment.

We study a simple λ-calculus with primitive fold, map and append operations on lists and develop in Agda a sound and complete decision procedure for an equational theory enriched with monoid, functor and fusion laws.

Keywords Normalization by evaluation, Logical relations, Simply-typed lambda calculus, Map fusion

1. Introduction 

The programmer working in intensional type theory is no stranger to 'obviously true' equations she wishes held definitionally for her program to typecheck without having to chase down ill-typed terms and brutally coerce them. In this article, we present one way to relax definitional equality, thus accommodating some of her longings.

The first set of equalities (Table 1) one expects is introduced by the equations the programmer writes to define functions; they correspond to δ (for definitions) and ι (for pattern-matching on inductive data) rules and hold computationally just like the more common β rule. Definitional equality extends these rules to open terms and identifies expressions up to computation.

The second batch (Table 2) explains that some types have unique constructors which the programmer can demand. These are usually called η rules and articulate some degree of extensionality. They are well supported in e.g. Epigram [13] and Agda [29] both for functions and records but still lacking for records in Coq [?].

The free variables of open terms obstruct those computation rules which require constructors; those rules thus determine a kit for building computationally inert neutral terms, growing layers of thwarted progress around a variable which we dub the 'nut'.
map : (a → b) → list a → list b
map f []        ↦ []
map f (x :: xs) ↦ f x :: map f xs

(++) : list a → list a → list a
[] ++ ys        ↦ ys
(x :: xs) ++ ys ↦ x :: (xs ++ ys)

fold : (a → b → b) → b → list a → b
fold c n []        ↦ n
fold c n (x :: xs) ↦ c x (fold c n xs)

Table 1. δι rules - computational

f = λx. f x      : a → b
p = (π1 p, π2 p) : a × b
u = ⟨⟩           : 1

Table 2. η rules - canonicity

Our new 'ν rules' (Table 3) concern just such neutral terms, with the same nut obstructing both sides. Each can be proven just by structural induction on the nut, cracking it into constructor cases which compute by βδι to subgoals which follow by inductive hypothesis — the classic proof pattern of Boyer and Moore [12].

Table 3. ν rules

Here, we give a decision procedure for βδιην-equality with an Agda proof that it is sound and complete. We gain, for example, that map swap . map swap = id, where swap swaps the elements of a pair. Implementing ν-rules separately from evaluation and only for neutral terms makes them none the less admissible in general. This promising experiment suggests that other frustrating equations of a similar character may soon come within our grasp.



2. Our Experimental Setting 

Our ambition is to provide a generic method of extending the definitional equality of intensional type theories with ν-rules, but here we deliver evidence of progress in a simpler setting which is easier to formalize: simply typed λ-calculus with products and list primitives. We developed the algorithm during Boutillier's internship at Strathclyde [11]; Allais completed the formalized metatheory.

Types are parametrized by a natural number n and can refer to a finite set of base types using the 'b constructor and an index k in Fin n, the datatype with exactly n inhabitants. These unanalysed base types give us a simple way to model expressions exhibiting some parametric polymorphism.

σ, τ, ... ::= 'b k | '1 | σ '× τ | σ '→ τ | 'list σ

Terms follow the grammar presented below and the typing rules described in Figure 1, where contexts are just snoc lists of variable names together with their type.

t, u, ... ::= x | 'λx.t | f '$ u | '⟨⟩ | t ', u | 'π1 t | 'π2 t | '[]
            | hd ':: tl | 'map(f, xs) | xs '++ ys | 'fold(c, n, xs)



For the sake of clarity in formalization, we quote the constructors of our object language, making a clear distinction from the corresponding features of the host language, Agda, where we use the standard 'typed de Bruijn index' representation of well typed terms [6, 19] to eliminate junk from consideration. In our treatment here, we always assume freshness of the variables introduced by lambdas and we do not artificially separate terms and typing derivations.

The notion of context inclusion is defined inductively and gives 
rise to a weakening operation essentially acting on variables. The 
usual results about the identity weakening, composition of weak- 
enings, etc. hold. 

The pointwise extension of the well-typed terms from types to 
contexts gives a notion of parallel substitution. 



Δ ⊢ε Γ = ⊤                   if Γ = ε
Δ ⊢ε Γ = Δ ⊢ε Γ' × Δ ⊢ σ     if Γ = Γ' · σ

We write t[ρ] for the application of the parallel substitution ρ : Δ ⊢ε Γ to the term t : Γ ⊢ σ yielding a term of type Δ ⊢ σ.

The equational theory of the calculus, denoted =βδιην, is quite naturally the congruence closure of the βδιην-rules described earlier where reductions under λ-abstraction are allowed. In this paper, we also mention the relation →βδιην where the rules presented earlier are all considered with a left to right orientation (except for the identity laws for the list functor and the list monoid), thus inducing a notion of reduction. The soundness theorem proves that not only is the term produced related to the source one but it is a reduct of it.

One easy sanity check we recommend before starting to work on the metatheory is to give a shallow embedding of the calculus in a pre-existing sound type theory and to show that the reduction relation is compatible with the propositional equality in this theory. In our formalization we used Agda extended with a postulate stating extensional equality for non-dependent functions. Once the reader is satisfied that no silly mistakes were made in the equational theory, she can start the implementation.



3. Reduction machinery 

When looking in detail at different accounts of normalization by evaluation [4, 10, 15, 16], the reader should be able to detect that there are two phases in the process: firstly, the evaluation function building elements of the model from well-typed terms performs βδι-reductions and does not reduce under λ-abstractions, effectively building closures (using the λ-abstractions of the host language) when encountering one. Secondly, the quoting machinery extracting terms from the model performs η-expansions where needed, which will cause the closures to be reduced and new computations to be started. This two-step process was already more or less present in Berger and Schwichtenberg's original paper [10]:

Obviously each term in β-normal form may be transformed into long β-normal form by suitable η-expansions. Therefore each term r may be transformed into a unique long β-normal form r* by β-conversion and η-expansions.

Building on this observation, we construct a three (rather than two) staged process successively performing βδι, η and finally ν reductions whilst always potentially calling back a procedure from a preceding stage to reduce further non-normal terms appearing when e.g. going under lambdas during η-expansion, distributing a map over an append, etc.

3.1 The three stages of standardization 

The normalization and standardization process goes through three successive stages, whence the need to define three different subsets of terms of our calculus. They are to be understood simply as syntactic categories restricting the shape of terms, typed in the same way as the ones in the original language except for the few extra constructors for which we explicitly detail what they mean.

Remark It should be noted that the last two steps never reduce a term to a constructor-headed one for datatypes (lists in our setting). In particular, the last step only rearranges stuck terms to produce terms which are themselves stuck. In other words: if a (list, in our case) term is convertible to a constructor-headed term (be it either nil or cons), then it is reduced to it by the first step of the reduction.

The first intermediate language we are going to encounter is composed of weak-head βδι-normal expressions, i.e. we never reduce under a lambda, this role being assigned to the η-expansion routine. Having λ-closures as first-class values is one of the marks of this approach.





Weak-head normal forms

m ::= x | m '$ w | 'π1 m | 'π2 m | 'fold(w1, w2, m) | 'map(w, m) | m '++ w
w ::= m | 'λ[ρ]x.t | '⟨⟩ | w1 ', w2 | '[] | w1 ':: w2
ρ ::= ε | ρ, x ↦ w


These values are computed using a simple off-the-shelf environment machine which returns a constructor when facing one; stores the evaluation environment in a λ-closure when evaluating a term starting with a λ; and calls a helper function on the recursively evaluated subterms when uncovering an eliminator. These helper functions either return a neutral if the interesting subterm was stuck or perform the elimination, which may start new computations (e.g. in the application case).

Remark This reduction step is absolutely type-agnostic and could therefore be performed on terms devoid of any type information as in e.g. Coq where conversion is untyped. Keeping and propagating some types (e.g. the codomain of the function in a map) is nonetheless needed to be able to infer back the type of the whole expression, which is crucial in the following steps.

Context inclusion (Γ ⊆ Δ):

              pr : Γ ⊆ Δ
  ------------------------------------
  pop! pr : Γ · (x : σ) ⊆ Δ · (x : σ)

Typing rules (Γ ⊢ t : σ):

  (x : σ) ∈ Γ
  -----------
  Γ ⊢ x : σ

  Γ · (x : σ) ⊢ t : τ
  ---------------------
  Γ ⊢ 'λx.t : σ '→ τ

  Γ ⊢ t : σ '→ τ    Γ ⊢ u : σ
  ---------------------------
  Γ ⊢ t '$ u : τ

  -----------
  Γ ⊢ '⟨⟩ : '1

  Γ ⊢ t : σ    Γ ⊢ u : τ
  ----------------------
  Γ ⊢ t ', u : σ '× τ

  Γ ⊢ t : σ '× τ          Γ ⊢ t : σ '× τ
  ---------------         ---------------
  Γ ⊢ 'π1 t : σ           Γ ⊢ 'π2 t : τ

  -----------------
  Γ ⊢ '[] : 'list σ

  Γ ⊢ hd : σ    Γ ⊢ tl : 'list σ
  ------------------------------
  Γ ⊢ hd ':: tl : 'list σ

  Γ ⊢ f : σ '→ τ    Γ ⊢ xs : 'list σ
  ---------------------------------
  Γ ⊢ 'map(f, xs) : 'list τ

  Γ ⊢ xs : 'list σ    Γ ⊢ ys : 'list σ
  ------------------------------------
  Γ ⊢ xs '++ ys : 'list σ

  Γ ⊢ c : σ '→ τ '→ τ    Γ ⊢ n : τ    Γ ⊢ xs : 'list σ
  ----------------------------------------------------
  Γ ⊢ 'fold(c, n, xs) : τ

Figure 1. Context inclusion and typing rules

Then an η-expansion step kicks in and produces η-long values in a type-directed way. It insists that the only neutrals worthy of being considered normal forms are the ones of base type. It also carves out the subset of stuck lists in a separate syntactic category l, thus preparing for the last step, which will leave most of the rest of the language untouched.

The η-expansion of product and function types actually calls back the subroutines for βδι-rules respectively in charge of computing the first and second projection of a pair and the application of a function to a term (here the newly introduced variable). This step is the only one requiring a name generator, which allows us to avoid threading such an artifact along the whole reduction machinery.





η-long values

n ::= x | n '$ v | 'π1 n | 'π2 n | 'fold(v1, v2, l)
v ::= n : 'b k | l | 'λx.v | '⟨⟩ | v1 ', v2 | '[] | v1 ':: v2
l ::= n : 'list σ | 'map(v, l) | l '++ v





Standard forms have a very specific shape due to the fact that we now completely internalize the ν-rules. The standard lists s are produced by flattening the stuck map / append trees present in l after the end of the previous procedure, whilst the fold / map and fold / append fusion rules are applied in order to compute folds further and reach the point where a stuck fold is stuck on a real neutral list.





Standard forms

n ::= x | n '$ v | 'π1 n | 'π2 n | 'fold(v1, v2, n)
v ::= n : 'b k | s | 'λx.v | '⟨⟩ | v1 ', v2 | '[] | v1 ':: v2
s ::= 'map⟨v1, n⟩'++ v2





The new constructor 'map⟨_, _⟩'++ _ (referred to as "mappend") has the obvious semantics that it represents the concatenation of a stuck map and a list. This grammar explicitly defines a hierarchy between stuck functions: appends are forbidden to appear inside maps and both of them had better not be found sitting in a fold. It is but one way to guarantee the existence of standard forms, and future extensions hopefully allowing the programmer to add the ν-rules she fancies holding definitionally will have to make sure, for completeness' sake, that such standard forms exist.

4. Formalization of the procedure 

What we are interested in here is to demonstrate the decidability of the equational theory's extension rather than explaining how to prove termination of a big step semantics in Agda and rely on functional induction to prove the different properties. The reader keen on learning about the latter should refer to James Chapman's thesis [14] where he describes a principled solution to proving termination of big step semantics for various calculi. We, on the other hand, will focus on the former: we opted for a version of the algorithm based, in the tradition of normalization by evaluation, on a model construction which basically collapses the layered stages but is trivially terminating by a structural argument.

Type directed partial evaluation (or normalization by evaluation) is a way to compute the canonical forms by using the evaluation mechanism of the host language whilst exploiting the available type information to retrieve terms from the semantical objects. It was introduced by Berger and Schwichtenberg [10] in order to have an efficient normalization procedure for Lego. It has since been largely studied in different settings:

Danvy's lecture notes [?] review its foundations and present its applications as a technique to get rid of static redexes when compiling a program. They also discuss various refinements of the naive approach such as the introduction of let bindings to preserve a call-by-value semantics or the addition of extra reduction rules¹ to get cleaner generated code. Our ν-rules are somehow reminiscent of this approach.

T. Coquand and Dybjer [?] introduced a glued model recording the partial application of combinators in order to be able to build the reification procedure for a combinatory logic. In this case the naive approach is indeed problematic given that the SK structure is lost when interpreting the terms in the naive model and is impossible to get back. This was of great use in the design of a model outside the scope of this paper computing only weak-head normal forms [?].

C. Coquand [15] showed in great detail how to implement and prove sound and complete an extension of the usual algorithm to a simply-typed lambda calculus with explicit substitutions. This development guided our correctness proofs.

More recently Abel et al. [2, 3] built extensions able to deal with a variety of type theories and, last but not least, Ahman [4] explained how to treat calculi equipped with algebraic effects.



Remark We will call Γ ⊢nf σ the typing derivations restricted to standard values as per the previous section's definitions and Γ ⊢ne σ the corresponding ones for standard neutrals. Standard lists will be silently embedded in standard values: the separation of s and v is an important vestige of the syntactic category l of stuck lists but inlining it in the grammar yields exactly the same set of terms.



¹ E.g. n + 0 ↦ n in a calculus where _ + _ is defined by case analysis on the first argument and this expression is therefore stuck.
Definition The model is defined by induction on the type using an auxiliary inductive definition, parametric in its arguments (which guarantees that the definition is strictly positive, therefore meaningful), to give a semantical account of lists. One should remember that the calculus enjoys η-rules for unit, product and arrow types; therefore the semantical counterparts of terms with such types need not be more complex than unit, pairs and actual function spaces.

M(Γ, _)       : type_n → Set
M(Γ, '1)      = ⊤
M(Γ, 'b k)    = Γ ⊢ne 'b k
M(Γ, σ '× τ)  = M(Γ, σ) × M(Γ, τ)
M(Γ, σ '→ τ)  = ∀Δ, Γ ⊆ Δ → M(Δ, σ) → M(Δ, τ)
M(Γ, 'list σ) = L(Γ, σ, M(_, σ))


Standardization may trigger new reductions and we have therefore 
the obligation to somehow store the computational power of the 
functions part of stuck maps. This is a bit tricky because the domain 
type of such functions is nowhere related to the overall type of 
the expression meaning that no induction hypothesis can be used. 
Luckily these new computations are only ever provoked by neutral 
terms: they come from function compositions caused by map or 
map-fold fusions. 

Γ : Con(type_n)    σ : type_n    M_σ : Con(type_n) → Set
--------------------------------------------------------
L(Γ, σ, M_σ) : Set

                           HD : M_σ(Γ)    TL : L(Γ, σ, M_σ)
------------------         -------------------------------
'[] : L(Γ, σ, M_σ)         HD ':: TL : L(Γ, σ, M_σ)

F : ∀Δ, Γ ⊆ Δ → Δ ⊢ne τ → M_σ(Δ)    xs : Γ ⊢ne 'list τ    YS : L(Γ, σ, M_σ)
---------------------------------------------------------------------------
'map⟨F, xs⟩'++ YS : L(Γ, σ, M_σ)

Remark One should notice the Kripke flavour of the interpretation 
of function types. It is exactly what is needed to write down a 
weakening operation thus giving the entire model a Kripke-like 
structure. 

Lemma 4.1 (Reify and reflect). Mutually defined processes allow normal forms Γ ⊢nf σ to be extracted from elements of the model M(Γ, σ) whilst neutral forms Γ ⊢ne σ can be turned into elements of the model.

Proof. Both ↑σ : M(Γ, σ) → Γ ⊢nf σ and ↓σ : Γ ⊢ne σ → M(Γ, σ) are defined by induction on their type index σ. The unit case is trivial: the reification process returns '⟨⟩ while the reflection one produces the only inhabitant of ⊤. The base type case is solved by the embedding of neutrals into normals on one hand and by the identity function on the other hand. The product case is simply discharged by invoking the induction hypotheses: the reification is the pairing of the reifications of the subterms while the reflection is the reflection of the η-expansion of the stuck term. We can now focus on the more subtle cases.

The function case is obtained by η-expansion both at the term level (the normal form will start with a 'λ) and the semantical level (the object will be a function). It is here that the fact that the definitions are mutual is really important.

↑σ'→τ F = 'λx. ↑τ (F(_, ↓σ x))
↓σ'→τ f = λΔ inc x. ↓τ (wk_inc(f) '$ ↑σ x)

The list case is dealt with by recursion on the semantical list for the reification process and a simple injection for the reflection case. We write ↑lσ and ↓lσ for the helper functions performing reification and reflection on lists of type 'list σ.

↑lσ '[]                 = '[]
↑lσ (HD ':: TL)         = ↑σ HD ':: ↑lσ TL
↑lσ ('map⟨F, xs⟩'++ YS) = 'map('λx. ↑σ F(_, x), xs) '++ ↑lσ YS

This injection corresponds to applying the identity functor and monoid laws. Indeed λΔ _. ↓σ denotes the identity function and has the appropriate type ∀Δ, Γ ⊆ Δ → Δ ⊢ne σ → M_σ(Δ) to fit in the semantical list mappend constructor.

↓lσ xs = 'map⟨λΔ _. ↓σ, xs⟩'++ '[]

□



Example of ην-expansions provoked by the reflect / reify functions: for xs a neutral list of type 'list ('1 '× 'b k), we get an expanded version by drowning it in the model and reifying it back:

↑l('1 '× 'b k) (↓l('1 '× 'b k) xs) = 'map('λp. ('⟨⟩ ', 'π2 p), xs) '++ '[]

This showcases the η-expansion of unit, products and functions as well as the use of the identity laws mentioned during the definition of ↓lσ.

Proving that every term can be normalized now amounts to proving the existence of an evaluation function producing a term T of the model M(Δ, σ) given a well-typed term t of the language Γ ⊢ σ and a semantical environment Mε(Δ, Γ). Indeed the definition of the reflection function ↓σ together with the existence of environment weakenings give us the necessary machinery to produce a diagonal semantical environment Mε(Γ, Γ) which could then be fed to such an evaluation function.

In order to keep the development tidy and have a more modular 
proof of correctness, it is wise to give this evaluation function as 
much structure as possible. This is done through a multitude of 
helper functions explaining what the semantical counterparts of 
the usual combinators of the calculus (except for lambda which, 
integrating a weakening to give the model its Kripke structure, is a 
bit special) ought to look like. 

Theorem 4.2 (Evaluation function). Given a term in Γ ⊢ σ and a semantical environment in Mε(Δ, Γ), one can build a semantical object in M(Δ, σ).

Proof. A simple induction on the term to be evaluated using the semantical counterparts of the calculus' combinators to assemble semantical objects obtained by induction hypotheses discharges most of the goals. See Figure 2 for the details of the code. In the lambda case, we have the body of the lambda b in Γ · σ ⊢ τ, an evaluation environment R in Mε(Δ, Γ) and we are given a context Σ, a proof inc that Δ ⊆ Σ and an object S living in M(Σ, σ). By combining S and a weakening of R along inc, we get an evaluation environment of type Mε(Σ, Γ · σ) which is just what we needed to conclude by using the M(Σ, τ) delivered by the induction hypothesis on b. □

Remark The only place where type information is needed is when reorganizing neutrals following ν-rules, e.g. in the semantical fold. The evaluation function is therefore faithful to the staged evaluation approach.

The model is indeed related to the algorithm presented earlier on in section 3.1: we describe all the computations eagerly for Agda to see the termination argument but a subtle evaluation strategy applied to the produced code could reclaim the behaviour of the layered approach. It would have to form lambda closures in the arrow case, and fire eagerly only the reductions eliminating constructors in the Mmap, M++ and Mfold helper functions, thus postponing the execution of the code corresponding to ην-rules to reification time.
'[] M++ ZS                  = ZS
(HD ':: TL) M++ ZS          = HD ':: (TL M++ ZS)
('map⟨F, xs⟩'++ YS) M++ ZS  = 'map⟨F, xs⟩'++ (YS M++ ZS)

Mmap F '[]                  = '[]
Mmap F (HD ':: TL)          = F(_, HD) ':: Mmap F TL
Mmap F ('map⟨G, xs⟩'++ YS)  = 'map⟨F M∘ G, xs⟩'++ Mmap F YS
  where F M∘ G = λΔ inc t. F(inc, G(inc, t))

Mfold C N '[]                     = N
Mfold C N (HD ':: TL)             = C(_, HD, _, Mfold C N TL)
Mfold_τ C N ('map⟨F, xs⟩'++ YS)   = ↓τ 'fold(c, n, xs)
  where c = 'λx. 'λy. ↑τ C(_, F(_, x), _, ↓τ y)
        n = ↑τ Mfold C N YS

eval ('v pr)           R = R !! pr
eval ('λx.t)           R = λΣ inc S. eval t (wk_inc(R), x ↦ S)
eval (f '$ x)          R = (eval f R)(_, eval x R)
eval '⟨⟩               R = tt
eval (a ', b)          R = eval a R, eval b R
eval ('π1 t)           R = π1 (eval t R)
eval ('π2 t)           R = π2 (eval t R)
eval '[]               R = '[]
eval (hd ':: tl)       R = (eval hd R) ':: (eval tl R)
eval (xs '++ ys)       R = (eval xs R) M++ (eval ys R)
eval ('map(f, xs))     R = Mmap (eval f R) (eval xs R)
eval ('fold(c, n, xs)) R = Mfold (eval c R) (eval n R) (eval xs R)

Figure 2. Evaluation function and helper functions
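The staged procedure of section 3.1 and the evaluation function and helpers of Figure 2, condensed into one runnable normalizer in Python; this is an added example, not the paper's Agda code. Semantic lists are kept in the standard form 'map⟨F, xs⟩'++ YS, M++, Mmap and Mfold follow Figure 2 (including the fold/map and fold/append fusion), and reify/reflect perform the type-directed η-expansion of Lemma 4.1. Assumed simplifications: named variables with globally fresh names stand in for the typed de Bruijn indices and Kripke weakening, and fold terms carry their result type τ (the paper reads it off the intrinsically typed term). Fresh names restart at x0 for each normalization and are assigned in traversal order, so the two sides of map swap . map swap = id come out syntactically identical; the sample terms are constructed for this example.

```python
# Added example, not the paper's Agda code: normalization by evaluation for the
# calculus of the page, with semantic lists kept in the standard "mappend" form
# 'map<F, xs>'++ YS and the M++, Mmap and Mfold helpers of Figure 2.
# Assumed simplifications: named variables with globally fresh names replace typed
# de Bruijn indices and Kripke weakening; fold terms carry their result type.
# Types:  ('unit',) ('base', k) ('prod', s, t) ('arr', s, t) ('list', s)
# Terms:  ('var', x) ('lam', x, t) ('app', f, u) ('unit',) ('pair', a, b) ('fst', t)
#         ('snd', t) ('nil',) ('cons', h, t) ('map', f, xs) ('append', xs, ys)
#         ('fold', tau, c, n, xs)
# Values: () for unit, a neutral term at base type, a Python pair for products, a
#         Python callable for arrows and, for lists, ('nil',), ('cons', HD, TL) or
#         ('mapp', F, xs, YS) where F sends a neutral term to a value.

_counter = [0]
def fresh():
    _counter[0] += 1
    return f"x{_counter[0] - 1}"

def sappend(xs, zs):                          # M++: push the append into the tail
    if xs[0] == 'nil':
        return zs
    if xs[0] == 'cons':
        return ('cons', xs[1], sappend(xs[2], zs))
    return ('mapp', xs[1], xs[2], sappend(xs[3], zs))

def smap(f, xs):                              # Mmap: map/map fusion on the stuck part
    if xs[0] == 'nil':
        return xs
    if xs[0] == 'cons':
        return ('cons', f(xs[1]), smap(f, xs[2]))
    g = xs[1]
    return ('mapp', lambda n: f(g(n)), xs[2], smap(f, xs[3]))

def sfold(tau, c, n, xs):                     # Mfold_tau: fold/map and fold/append fusion
    if xs[0] == 'nil':
        return n
    if xs[0] == 'cons':
        return c(xs[1])(sfold(tau, c, n, xs[2]))
    f, stuck, ys = xs[1], xs[2], xs[3]
    x, y = fresh(), fresh()
    # c' = 'λx.'λy. ↑τ C (F x) (↓τ y),  n' = ↑τ (Mfold C N YS); fold now stuck on xs
    c2 = ('lam', x, ('lam', y, reify(tau, c(f(('var', x)))(reflect(tau, ('var', y))))))
    n2 = reify(tau, sfold(tau, c, n, ys))
    return reflect(tau, ('fold', tau, c2, n2, stuck))

def ev(t, env):                               # the evaluation function of Figure 2
    k = t[0]
    if k == 'var':    return env[t[1]]
    if k == 'lam':    return lambda v: ev(t[2], {**env, t[1]: v})
    if k == 'app':    return ev(t[1], env)(ev(t[2], env))
    if k == 'unit':   return ()
    if k == 'pair':   return (ev(t[1], env), ev(t[2], env))
    if k == 'fst':    return ev(t[1], env)[0]
    if k == 'snd':    return ev(t[1], env)[1]
    if k == 'nil':    return ('nil',)
    if k == 'cons':   return ('cons', ev(t[1], env), ev(t[2], env))
    if k == 'map':    return smap(ev(t[1], env), ev(t[2], env))
    if k == 'append': return sappend(ev(t[1], env), ev(t[2], env))
    return sfold(t[1], ev(t[2], env), ev(t[3], env), ev(t[4], env))

def reify(ty, v):                             # ↑: type-directed quoting, η-long output
    k = ty[0]
    if k == 'unit': return ('unit',)
    if k == 'base': return v
    if k == 'prod': return ('pair', reify(ty[1], v[0]), reify(ty[2], v[1]))
    if k == 'arr':
        x = fresh()
        return ('lam', x, reify(ty[2], v(reflect(ty[1], ('var', x)))))
    s = ty[1]
    if v[0] == 'nil':  return ('nil',)
    if v[0] == 'cons': return ('cons', reify(s, v[1]), reify(ty, v[2]))
    x = fresh()
    return ('append', ('map', ('lam', x, reify(s, v[1](('var', x)))), v[2]), reify(ty, v[3]))

def reflect(ty, n):                           # ↓: a neutral term becomes a value
    k = ty[0]
    if k == 'unit': return ()
    if k == 'base': return n
    if k == 'prod': return (reflect(ty[1], ('fst', n)), reflect(ty[2], ('snd', n)))
    if k == 'arr':  return lambda v: reflect(ty[2], ('app', n, reify(ty[1], v)))
    return ('mapp', lambda m: reflect(ty[1], m), n, ('nil',))   # identity laws

def norm(ctx, ty, t):
    """Normal form of t : ty in context ctx (a dict name -> type); names restart at x0."""
    _counter[0] = 0
    env = {x: reflect(s, ('var', x)) for x, s in ctx.items()}
    return reify(ty, ev(t, env))

# Constructed inputs: the paper's map swap . map swap = id, and fold/map fusion.
B0, B1 = ('base', 0), ('base', 1)
LP = ('list', ('prod', B0, B1))
SWAP = ('lam', 'p', ('pair', ('snd', ('var', 'p')), ('fst', ('var', 'p'))))
ID = ('lam', 'xs', ('var', 'xs'))

def swap_twice_is_id():
    t = ('lam', 'xs', ('map', SWAP, ('map', SWAP, ('var', 'xs'))))
    return norm({}, ('arr', LP, LP), t) == norm({}, ('arr', LP, LP), ID)

def fold_map_fusion():
    ctx = {'c': ('arr', B0, ('arr', B0, B0)), 'f': ('arr', B0, B0), 'n': B0, 'xs': ('list', B0)}
    t = ('fold', B0, ('var', 'c'), ('var', 'n'), ('map', ('var', 'f'), ('var', 'xs')))
    return norm(ctx, B0, t)
```

fold_map_fusion() returns the term 'fold('λx0.'λx1. c (f x0) x1, n, xs): the map has been pushed into the fold's step function and the fold is now stuck on the real neutral xs, as the standard-form grammar demands. Normalizing the bare variable xs at type 'list ('1 '× 'b 0) reproduces the ην-expansion example of Lemma 4.1, 'map('λx0. ('⟨⟩ ', 'π2 x0), xs) '++ '[].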



Corollary 4.3. There is a normalization function norm turning terms in Γ ⊢ σ into normal forms in Γ ⊢nf σ.

5. Correctness 

The typing information provided by the implementation language guarantees that the procedure computes terms in normal form from its inputs and that they have the same type. This is undoubtedly a good thing to know but does not forbid all the potentially harmful behaviours: the empty list is a type correct normal form for any input of type list but it certainly is not a satisfactory answer with respect to βδιην-equality. Hence the need for a soundness and a completeness theorem tightening the specification of the procedure.

The meta-theory is an ad-hoc extension of the techniques already well explained by Catarina Coquand [15] in her presentation of a simply-typed lambda calculus with explicit substitutions (but no data). Soundness is achieved through a simple logical relation while completeness needs two mutually defined notions explaining what it means for elements of M to be semantically equal and to behave uniformly on extensionally equal terms.

The reader should think of these logical relations as specifying requirements for a characterization (being equal, being uniform) to be true of an element at some type. The natural deduction style presentation of these recursive functions should then be quite natural for her: read in a bottom-up fashion, they express that the (dependent) conjunction of the hypotheses (the empty conjunction being ⊤) is the requirement for the goal to hold. Hence a natural interpretation:

  A    B    C
  -----------      reads as      F(t) = A × B × C
     F(t)

5.1 Soundness 

Soundness amounts to re-building the propositional part of the reducibility candidate argument [21] which has been erased to get the barebones model. The logical relation M(Γ, σ) ∋ t ↓ T relates a semantical object T in M(Γ, σ) and a term t in Γ ⊢ σ which is morally the source of the semantical object.

Definition M(Γ, σ) ∋ t ↓ T is defined by induction on the type σ plus an appropriate inductive definition for the list case. The unit and base type cases are, as expected, the simplest ones and the product case is not very much more exciting:



                            t →βδιην T
  ----------------          ------------------
  M(Γ, '1) ∋ t ↓ T          M(Γ, 'b k) ∋ t ↓ T

  a : Γ ⊢ σ    b : Γ ⊢ τ    t →βδιην a ', b    M(Γ, σ) ∋ a ↓ A    M(Γ, τ) ∋ b ↓ B
  -------------------------------------------------------------------------------
  M(Γ, σ '× τ) ∋ t ↓ A, B



Function types, on the other hand, give rise to a Kripke-like structure in two ways: in addition to the quantification over all possible future contexts which we need to match the model construction, there is also a quantification over all possible source terms reducing to the current one.

  ∀Δ (inc : Γ ⊆ Δ) x X, M(Δ, σ) ∋ x ↓ X → ∀t', t' →βδιην wk_inc(f) '$ x → M(Δ, τ) ∋ t' ↓ F(inc, X)
  ----------------------------------------------------------------------------------------------
  M(Γ, σ '→ τ) ∋ f ↓ F

It should be no surprise to the now experienced reader that the inductive definition of the logical relation for 'list σ is parametrized by M_σ ∋ _ ↓ _, the interpretation of the relation for elements of type σ, simply to avoid positivity problems. It is ultimately instantiated with the logical relation taken at type σ.



  XS : L(Γ, σ, M_σ)    xs : Γ ⊢ 'list σ    M_σ ∋ _ ↓ _ : ∀Γ, Γ ⊢ σ → M_σ(Γ) → Set
  -----------------------------------------------------------------------------
  L(Γ, σ, M_σ, M_σ ∋ _ ↓ _) ∋ xs ↓ XS : Set

The cases for nil and cons are simply saying that the source term indeed reduces to a term with the corresponding head-constructors and that the eventual subterms are also related to the subobjects.

  t →βδιην '[]
  ----------------------------------
  L(Γ, σ, M_σ, M_σ ∋ _ ↓ _) ∋ t ↓ '[]

  t →βδιην hd ':: tl    M_σ ∋ hd ↓ HD    L(Γ, σ, M_σ, M_σ ∋ _ ↓ _) ∋ tl ↓ TL
  ------------------------------------------------------------------------
  L(Γ, σ, M_σ, M_σ ∋ _ ↓ _) ∋ t ↓ HD ':: TL

The map-append case is a bit more complex. The term is expected to reduce to a term with the same canonical shape and then we expect the semantical function to behave like the one discovered.

  t →βδιην 'map(f, xs) '++ ys
  ∀Δ (inc : Γ ⊆ Δ) t, M_σ ∋ wk_inc(f) '$ t ↓ F(inc, t)
  L(Γ, σ, M_σ, M_σ ∋ _ ↓ _) ∋ ys ↓ YS
  ----------------------------------------------------
  L(Γ, σ, M_σ, M_σ ∋ _ ↓ _) ∋ t ↓ 'map⟨F, xs⟩'++ YS



The first thing to notice is that whenever two objects are related 
by this logical relation then the property of interest holds true 
i.e. the semantical object indeed is a reduct of the source term. 
This result which mentions the reifying function has to be proven 
together with the corresponding one about the mutually defined 
reflection function. 

Lemma 5.1. Reflect and reify are compatible with this logical relation in the sense that:

1. If tne is a neutral Γ ⊢ne σ then M(Γ, σ) ∋ tne ↓ ↓σ tne.
2. If t and T are such that M(Γ, σ) ∋ t ↓ T then t →βδιην ↑σ T.

The Kripke-style structure we mentioned during the definition of the logical relation adds just what is needed to have it closed under anti-reductions of the source term:

Proposition 5.2. For all s and t in Γ ⊢ σ, if s →βδιην t then for all T such that M(Γ, σ) ∋ t ↓ T, it is also true that M(Γ, σ) ∋ s ↓ T.

The proof of soundness then mainly involves showing that the semantical counterparts of the language's combinators we defined during the model construction are compatible with the logical relation. Namely that e.g. if M(Γ, σ '→ τ) ∋ f ↓ F and M(Γ, 'list σ) ∋ xs ↓ XS hold then it is also true that M(Γ, 'list τ) ∋ 'map(f, xs) ↓ 'map(F, XS).

Theorem 5.3. Given a term t : Γ ⊢ σ, a parallel substitution ρ : Δ ⊢ε Γ and an evaluation environment R such that ρ and R are related (Mε(Δ, Γ) ∋ ρ ↓ R holds), the evaluation of t in R is related to t[ρ]: M(Δ, σ) ∋ t[ρ] ↓ eval(t, R).

Proof. The theorem is proved by structural induction on the shape of the typing derivation of t. The variable case is trivially discharged by using the proof of Mε(Δ, Γ) ∋ ρ ↓ R.

All the other cases, except for the lambda one, can be solved by combining induction hypotheses with the appropriate lemma proving that the corresponding semantical combinator respects the logical relation.

In the case where t = 'λx.b, we are given a context Σ together with a proof inc that it is an extension of Δ, a term u and an object U which are related (M(Σ, σ) ∋ u ↓ U) and, finally, a term s : Σ ⊢ τ which reduces to ('λx.b)[ρ] '$ u. First of all, we should notice that s →βδιην b[ρ, x ↦ u] and therefore that to prove M(Σ, τ) ∋ s ↓ T it is enough to prove that M(Σ, τ) ∋ b[ρ, x ↦ u] ↓ T. And we get just that by using the induction hypothesis with the related parallel substitution ρ' and evaluation environment R' obtained by the combination of the weakening of ρ (resp. R) along inc with u (resp. U). □

Corollary 5.4. Given a term t, t reduces to its normal form: t →βδιην norm t. And if two terms t and u have the same normal form up to α-equivalence then they are indeed related: t =βδιην u.

Proof. The identity parallel substitution is related to the diagonal evaluation environment and t[idΓ] is equal to t, hence, by the previous theorem, M(Γ, σ) ∋ t ↓ eval(t, idMε Γ) and then t →βδιην norm t. □



5.2 Completeness 

Completeness can be summed up by the fact that the interpretation of βδιην-convertible elements produces semantical objects behaving similarly. This notion of similar behaviour is formalized as semantic equality where, in the function case, we expect both sides to agree on any uniform input rather than any element of the model. As usual the list case is dealt with by using an auxiliary definition parametric in its "interesting" arguments.

Definition The semantic equality of two elements T, U of M(Γ, σ) is written T ≡σ U while T ∈ M(Γ, σ) being uniform is written Uniσ T. They are both mutually defined by induction on the index σ in the figure on page 7.

Quite unsurprisingly, the unit case is of no interest: all the semantical units are equivalent and uniform. Semantic equality for elements with base types is up to α-equivalence: inhabitants are just bits of data (neutrals) which can be compared in a purely syntactical fashion because we use nameless terms. They are always uniform.



In the product case, the semantical objects are actual pairs and 
the definition just forces the properties to hold for each one of the 
pair's components. 

The function type case is a bit more hairy. While extensionality 
on uniform arguments is simple to state, uniformity has to enforce 
a lot of invariants: application of uniform objects should yield a 
uniform object, application of extensionally equal uniform objects 
should yield extensionally equal objects and weakening and appli- 
cation should commute (up to extensionality). 

In the list σ case, extensional equality is an inductive set 
basically building the (semantical) diagonal relation on lists of 
the same type. It is parametrized by a relation EQ on elements of 
M(Δ, σ) (for any context Δ) which is, in the practical case, 
instantiated with . =σ . as one would expect. Uniformity is, on the 
other hand, defined by recursion on the semantical list. It could very 
well be defined as being parametric in something behaving like 
Uniσ . but this is not necessary: there are no positivity problems! 
It is therefore probably better to stick to a lighter presentation here. 
The empty list is indeed uniform. A constructor-headed list is said 
to be uniform if its head of type M(Γ, σ) is uniform and its tail 
also is uniform. The criterion for a stuck list is a bit more involved. 
Mimicking the definition of uniformity for functions, there are two 
requirements on the stuck map: applying it to a neutral yields 
a uniform element of the model, and application and weakening 
commute. Lastly the second argument of the stuck append should 
be uniform too.

Remark The careful reader will already have noticed that this 
defines a family of equivalence relations; we will not make explicit 
use of reflexivity, symmetry and transitivity in the paper but it is 
fundamental in the formalization. 

Recall that the completeness theorem was presented as express- 
ing the fact that elements equivalent with respect to the reduction 
relation are interpreted as semantical objects behaving similarly. 
For this approach to make sense, knowing that two semantical ob- 
jects are extensionally equal should immediately imply that their 
respective reifications are syntactically equal, which is indeed the case.

Lemma 5.5. Reification, reflection and weakenings are compatible 
with the notions of extensional equality and uniformity. 

1. If T =σ U then ↓σ T = ↓σ U 

2. If t_ne is a neutral Γ ⊢ne σ then Uniσ (↑σ t_ne) 

3. Weakening and reification commute for uniform objects

Now that we know that all the theorem proving ahead of us 
will not be meaningless, we can start actually tackling complete- 
ness. When applying an extensional function, it is always required 
to prove that the argument is uniform. Being able to certify the 
uniformity of the evaluation of a term is therefore of the utmost 
importance. 

Lemma 5.6. Evaluation preserves properties of the evaluation 
environment. 

1. Evaluation in uniform environments produces uniform values

2. Evaluation in semantically equivalent environments produces 
semantically equivalent values 

3. Weakening the evaluation of a term is equivalent to evaluating 
this term in a weakened environment 

Theorem 5.7. If s and t are two terms in Γ ⊢ σ such that 
s →βδιην t and if R is a uniform environment in M(Δ, Γ) then 
eval(s, R) =σ eval(t, R).



Figure 3. Semantic equality and uniformity of objects in the model 

Unit type 

    T =₁ U                         Uni₁ T 

Base type k (neutrals compared syntactically) 

      T = U 
    ─────────                      Uni_k T 
    T =_k U 

Product type 

    A =σ C    B =τ D               Uniσ A    Uniτ B 
    ────────────────────           ───────────────── 
    (A, B) =σ×τ (C, D)             Uniσ×τ (A, B) 

Function type 

    ∀Δ (inc : Γ ⊆ Δ)(S : M(Δ, σ)) → Uniσ S → F(inc, S) =τ G(inc, S) 
    ───────────────────────────────────────────────────────────────── 
                               F =σ→τ G 

    ∀Δ (inc : Γ ⊆ Δ) S, Uniσ S → Uniτ F(inc, S) 
    ∀Δ (inc : Γ ⊆ Δ) S₁ S₂, Uniσ S₁ → Uniσ S₂ → S₁ =σ S₂ → F(inc, S₁) =τ F(inc, S₂) 
    ∀inc₁ inc₂ S, Uniσ S → wk_inc₂ F(inc₁, S) =τ F(inc₂ · inc₁, wk_inc₂ S) 
    ───────────────────────────────────────────────────────────────── 
                               Uniσ→τ F 

List type (equality parametrized by a relation EQ on M(Δ, σ), instantiated with =σ in practice) 

                              hd : EQ(X, Y)    tl : XS =list_EQ YS 
    ──────────────────        ──────────────────────────────────── 
    '[] =list_EQ '[]          X '∷ XS =list_EQ Y '∷ YS 

    xs : xs₁ = xs₂    YS : YS₁ =list_EQ YS₂    F : ∀Δ (inc : Γ ⊆ Δ)(t : Δ ⊢ne τ), EQ(F₁(inc, t), F₂(inc, t)) 
    ───────────────────────────────────────────────────────────────────────────────────────────── 
    'map(F₁, xs₁) '++ YS₁ =list_EQ 'map(F₂, xs₂) '++ YS₂ 

                              Uniσ HD    Uni_list σ TL 
    ──────────────            ───────────────────────── 
    Uni_list σ '[]            Uni_list σ (HD '∷ TL) 

    ∀Δ (inc : Γ ⊆ Δ)(t : Δ ⊢ne τ), Uniσ F(inc, t) 
    ∀inc₁ inc₂ t, wk_inc₂ F(inc₁, t) =σ F(inc₂ · inc₁, wk_inc₂ t) 
    Uni_list σ YS 
    ───────────────────────────────────────────────────────── 
    Uni_list σ ('map(F, xs) '++ YS) 

Proof. One proceeds by induction on the proof that s reduces to t. 


Structural rules The case of the structural rule for lambda can 
be discharged quite simply by an induction hypothesis: indeed a 
weakened uniform environment is still uniform and the element 
provided by the extensional equality relation at an arrow type is 
assumed to be uniform. 

The left structural rule for application is trivially discharged by 
combining the induction hypothesis with the lemma guaranteeing 
that evaluations of terms in uniform environments are uniform. The 
right structural one works the other way around: the uniformity of 
the evaluation of the functional part precisely says that application 
to uniform terms which are extensionally equal (induction hypoth- 
esis) yields semantically equal terms, thus proving the goal.

The very structure of the call graph of . =σ . on product types 
guarantees that structural rules for pair formers can be discharged 
by a combination of reflexivity and induction hypothesis, while 
structural rules for projections are taken care of by projecting the 
appropriate component of the induction hypothesis.

The structural rules for append, map and fold are dealt with by 
putting together reflexivity proofs and the induction hypothesis us- 
ing the proofs that these semantical operations yield extensionally 
equal terms when fed with such kinds of objects. 

βι rules Each one of the ι rules holds by reflexivity of the exten- 
sional equality: indeed evaluation realizes these computation rules 
syntactically. The case of the β rule is slightly more complicated. 
Given a function λx. b and its argument u, one starts by proving 
that the diagonal semantical environment extended with the evalu- 
ation of u in R is extensionally equal to the evaluation in R of the 
diagonal substitution extended with u. Thence, knowing that the 
evaluations of a term in two extensionally equal environments are 
extensionally equal, one can see that the evaluation of the redex is 
related to the evaluation of the body in an environment correspond- 
ing to the evaluation of the substitution generated when firing the 
redex. Finally, the fact that eval and substitution commute (up to 
extensionality) lets us conclude. 

ην rules definitely are the most complicated ones: except for 
the ones for product and unit types, which can be discharged by 
reflexivity of the semantic equality, all of them need at least a little 
bit of theorem proving to go through. The map-id, map-append, 
append-nil and append-assoc rules can be proven using simple 
auxiliary lemmas proved by functional induction. □

Corollary 5.8 (Completeness). For all terms t and u of type Γ ⊢ σ, 
if t ≡βδιην u then norm t = norm u. 

Proof. Reflection produces uniform values and uniformity is pre- 
served through weakening, hence the trivial diagonal environment 
is uniform. Combined with iterations of Theorem 5.7 along the 
proof that t ≡βδιην u, we get that the respective evaluations of t 
and u are extensionally equal, which we have proved to be enough 
to get syntactically equal reifications. □



Corollary 5.9. The equational theory enriched with ν-rules is 
decidable. 

Proof. Given terms t and u of the same type Γ ⊢ σ, we can compute 
two normal forms t_nf = norm t and u_nf = norm u and test them for 
equality up to α-conversion (which is a simple syntactic check in 
our nameless representation in Agda). 

If t_nf = u_nf then the soundness result allows us to conclude 
that t and u are convertible terms. 

If t_nf ≠ u_nf then t and u are not convertible. Indeed, if they 
were then the completeness result would guarantee that t_nf and u_nf 
are equal, which leads to a contradiction. □

Examples of terms which are identified thanks to the internalization 
of the ν-rules. 

1. In a context with two functions f and g of type σ '→ 1, 
'λxs. 'map(f, xs) and 'λxs. 'map(g, xs) both normalize to 
'λxs. 'map('λ_. '(), xs) '++ '[] and are therefore declared 
equal. 

2. At type Γ ⊢ 'list('b k '× 'b l) '→ 'list('b k '× 'b l), the 
terms 'λxs. xs and 'λxs. 'map(swap, 'map(swap, xs)), where 
swap is the function 'λp. ('π₂ p ', 'π₁ p) swapping the or- 
der of a pair's elements, are convertible with normal form 
'λxs. 'map('λp. ('π₁ p ', 'π₂ p), xs) '++ '[].
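The two examples above can be reproduced mechanically. The following Python program is an added illustration, not the paper's Agda development: it implements the decision procedure of Corollary 5.9 (normalize both sides, compare normal forms) for the list fragment without fold, with the ν-rules realized in the model exactly as this section describes: a neutral list is reflected as a stuck map of the identity appended to nil, append concatenates the segments of two semantic lists, and map composes with a stuck map. Everything else is an assumption of the example: terms and types are encoded as Python tuples, lambda binders carry their domain type so that reflection can be type-directed, binder names are regenerated deterministically during reification in place of the paper's nameless syntax (so that equal normal forms are literally equal tuples), and the context CTX and the terms MAP_F and MAP_G are constructed to match example 1.

```python
# Added example: NbE decision procedure for the list fragment (no fold).
# Assumed encodings (not the paper's): tuple-encoded terms and types, typed lambda
# binders, deterministic fresh binder names instead of a nameless syntax.
import itertools

# Types : ('unit',) | ('base', k) | ('prod', a, b) | ('arr', a, b) | ('list', a)
# Terms : ('var', x) | ('lam', x, ty, body) | ('app', f, a) | ('unit',) | ('pair', a, b)
#         ('fst', p) | ('snd', p) | ('nil',) | ('cons', h, t) | ('map', f, xs) | ('append', xs, ys)
# Values: closures at arrow types, ('unit',), ('pair', A, B), ('ne', term) at base types,
#         ('list', segs) with segments ('cons', V) or stuck ('map', F, neutral, elem_ty)

_names = itertools.count()

def fresh():
    return f"_x{next(_names)}"

def reflect(ty, ne):
    """Reflect the neutral term ne into the model at type ty (type-directed eta-expansion)."""
    tag = ty[0]
    if tag == 'unit':
        return ('unit',)
    if tag == 'base':
        return ('ne', ne)
    if tag == 'prod':
        return ('pair', reflect(ty[1], ('fst', ne)), reflect(ty[2], ('snd', ne)))
    if tag == 'arr':
        return lambda v: reflect(ty[2], ('app', ne, reify(ty[1], v)))
    # list: a stuck map of the identity appended to nil, so map-id and append-nil hold on the nose
    return ('list', [('map', lambda v: v, ne, ty[1])])

def reify(ty, v):
    """Read a value back into a normal form at type ty."""
    tag = ty[0]
    if tag == 'unit':
        return ('unit',)
    if tag == 'base':
        return v[1]
    if tag == 'prod':
        return ('pair', reify(ty[1], v[1]), reify(ty[2], v[2]))
    if tag == 'arr':
        x = fresh()
        return ('lam', x, ty[1], reify(ty[2], v(reflect(ty[1], ('var', x)))))
    out = ('nil',)                      # list: constructors, then stuck maps, ending in nil
    for seg in reversed(v[1]):
        if seg[0] == 'cons':
            out = ('cons', reify(ty[1], seg[1]), out)
        else:
            _, f, ne, src = seg
            x = fresh()
            fn = ('lam', x, src, reify(ty[1], f(reflect(src, ('var', x)))))
            out = ('append', ('map', fn, ne), out)
    return out

def map_segment(f, seg):
    """Push a function through one list segment; composing closures is map fusion."""
    if seg[0] == 'cons':
        return ('cons', f(seg[1]))
    _, g, ne, src = seg
    return ('map', lambda v: f(g(v)), ne, src)

def evaluate(t, env):
    """Evaluate t in env; map-append, append-assoc and fusion come from the list representation."""
    tag = t[0]
    if tag == 'var':
        return env[t[1]]
    if tag == 'lam':
        return lambda v: evaluate(t[3], {**env, t[1]: v})
    if tag == 'app':
        return evaluate(t[1], env)(evaluate(t[2], env))
    if tag == 'unit':
        return ('unit',)
    if tag == 'pair':
        return ('pair', evaluate(t[1], env), evaluate(t[2], env))
    if tag in ('fst', 'snd'):
        return evaluate(t[1], env)[1 if tag == 'fst' else 2]
    if tag == 'nil':
        return ('list', [])
    if tag == 'cons':
        return ('list', [('cons', evaluate(t[1], env))] + evaluate(t[2], env)[1])
    if tag == 'append':
        return ('list', evaluate(t[1], env)[1] + evaluate(t[2], env)[1])
    if tag == 'map':
        f = evaluate(t[1], env)
        return ('list', [map_segment(f, seg) for seg in evaluate(t[2], env)[1]])
    raise ValueError(f"unknown term {t!r}")

def normalize(ctx, ty, t):
    """norm t: evaluate t in the diagonal environment of ctx, then reify at ty."""
    global _names
    _names = itertools.count()          # binder names depend only on the shape of the output
    env = {x: reflect(tau, ('var', x)) for x, tau in ctx.items()}
    return reify(ty, evaluate(t, env))

def convertible(ctx, ty, s, t):
    """Corollary 5.9: s and t are convertible iff their normal forms coincide."""
    return normalize(ctx, ty, s) == normalize(ctx, ty, t)

# Constructed instance of example 1: f, g : sigma -> 1 and the two maps over a list.
SIGMA, UNIT = ('base', 'sigma'), ('unit',)
CTX = {'f': ('arr', SIGMA, UNIT), 'g': ('arr', SIGMA, UNIT)}
MAP_F = ('lam', 'xs', ('list', SIGMA), ('map', ('var', 'f'), ('var', 'xs')))
MAP_G = ('lam', 'xs', ('list', SIGMA), ('map', ('var', 'g'), ('var', 'xs')))
```

Calling `normalize(CTX, ('arr', ('list', SIGMA), ('list', UNIT)), MAP_F)` yields the tuple encoding of 'λxs. 'map('λ_. '(), xs) '++ '[], and `convertible` returns True for MAP_F against MAP_G, for example 2's swap-twice against the identity, and for the two sides of append-assoc and map-append; it returns False for a single swap against the identity, since its reified function body is the swapped pair.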
6. Further Opportunities for ν-Rules

We were motivated to develop a proof technique for extending defi- 
nitional equality with ν-rules because there are many opportunities 
where we might profit by doing so. Let us set out a prospectus.

Reflexive coercion for type-based equality. Altenkirch, McBride 
and W. Swierstra developed a propositional equality for intensional 
type theory [7] which differs from the usual inductive definition 
(refl a : a = a) in that its main eliminator 

    S, T : Set    Q : S = T    s : S 
    ──────────────────────────────── 
            s[Q : S = T⟩ : T 

computes by structural recursion first on the types S and T, and 
then (where appropriate) on s, rather than by pattern matching on 
the proof Q. Equality is still reflexive, so evaluation can leave us 
with terms n[refl N : N = N⟩ : N where n is a neutral term 
in a neutral type N. It is clearly a nuisance that this term does not 
compute to n, as would happen if the eliminator matched on the 
proof. The fix is to add a ν-rule which discards coercions whenever 
it is type-safe to do so: 

    s[Q : S = T⟩ = s    if S ≡ T : Set 

It is easy to check that adding this rule for neutral terms makes 
it admissible for all terms, and hence that we need add it not 
to evaluation, but only to the reification process which follows, 
just as with the ν-rules in this paper. There, as here, this spares 
the evaluation process from decisions which involve η-expansion 
and thus require a name supply. The ν-rule thus gives us a non- 
disruptive means to respect the full computational behaviour of 
inductive equality in the observational setting.

Functor laws. Barral and Soloviev give a treatment of functor 
laws for parametrized inductive datatypes by modifying the ι-rules 
of their underlying type theory [9]. We should very much hope to 
achieve the same result, as we did here in the special case of lists, 
just by adding ν-rules. Our preliminary experiments [27] suggest 
that we can implement functor laws once and for all in a type 
theory whose datatypes are given once and for all by a syntactic 
encoding of strictly positive functors, as Dagand and colleagues 
propose [17, 28]. Moreover, Luo and Adams have shown [26] that 
structural subtyping for inductive types can be reified by a coherent 
system of implicit coercions if functor laws hold definitionally.

Monad laws. Watkins et al. give a definitional treatment of 
monad laws in order to achieve an adequate representation of con- 
current processes encapsulated monadically in a logical frame- 
work [32]. For straightforward free monads, an experimental ex- 
tension of Epigram (by Norell, as it happens) [27] suggests that we 
may readily allow ν-rules for the right unit and associativity laws, 
rearranging binds around a neutral ⌊x⌉: 

    ⌊x⌉ >>= return       = ⌊x⌉ 
    (⌊x⌉ >>= σ) >>= ρ    = ⌊x⌉ >>= ((>>= ρ) · σ) 

Atkey's Foveran system uses a similar normalization method for 
free monad laws [8], again for an encoded universe of underlying 
functors.

Decomposing functors. Dagand and colleagues further note that 
their syntax of descriptions for indexed functors is, by virtue of 
being a syntax, itself presentable as the free monad of a functor. 
The description decoder 

    Decode : IDesc I → (I → Set) → Set 

is structurally recursive in the description and lifts pointwise to an 
interpretation of substitutions in the IDesc monad 

    ⟦_⟧ : (O → IDesc I) → (I → Set) → (O → Set) 
    ⟦σ⟧ X o = Decode (σ o) X 

as indexed functors with a 'map' operation satisfying functor laws. 
However, not only does this interpretation deliver functors, it is 
itself a contravariant functor: the identity substitution yields the 
identity functor just by βδι, but we may also interpret Kleisli 
composition as reverse functor composition 

    ⟦(>>= σ) · ρ⟧ = ⟦ρ⟧ · ⟦σ⟧ 

by means of a ν-rule 

    Decode (⌊D⌉ >>= σ) X = Decode ⌊D⌉ (⟦σ⟧ X) 

taking each D to be some ρ o. If we want to do a 'scrap your boil- 
erplate' style traversal of some described container-like structure, 
we need merely exhibit the decomposition of the description as 
some (>>= σ) · ρ, where ρ describes the invariant superstructures 
and σ the modified substructures, then invoke the functoriality of 
⟦ρ⟧. This ν-rule thus lets us expose functoriality over substructures 
not anticipated by explicit parametrization in datatype declarations. 
We thus recover the kind of ad hoc data traversal popularized by 
Lämmel and Peyton Jones [25] by static structural means.

Universe embeddings. A type theory with inductive-recursive 
definitions is powerful enough to encode universes of dependent 
types by giving a datatype of codes in tandem with their interpreta- 
tions [20], the paradigmatic example being 

    U₁ : Set                                  El₁ : U₁ → Set 
    'Pi₁ : (S : U₁) → (El₁ S → U₁) → U₁       El₁ ('Pi₁ S T) = (s : El₁ S) → El₁ (T s) 

Palmgren [30] suggests that one way to model a cumulative hierar- 
chy of such universes is to give each a code in the next, so 

    U₂ : Set                                  El₂ : U₂ → Set 
    'U₁ : U₂                                  El₂ 'U₁ = U₁ 
    'Pi₂ : (S : U₂) → (El₂ S → U₂) → U₂       El₂ ('Pi₂ S T) = (s : El₂ S) → El₂ (T s) 

and then define an embedding recursively 

    ↑ : U₁ → U₂ 
    ↑ ('Pi₁ S T) = 'Pi₂ (↑ S) (λ s. ↑ (T s)) 

but a small frustration with this proposal is that s is abstracted at 
type El₂ (↑ S), but used at type El₁ S, and these two types are not 
definitionally equal for an abstract S. One workaround is to make ↑ 
a constructor of U₂, at the cost of some redundancy of representation, 
but now we might also consider fixing the discrepancy with a ν-rule 

    El₂ (↑ S) = El₁ S 

This is peculiar for our examples thus far, in that the ν-rule is 
needed even to typecheck the δι-rules for ↑, reflecting the fact that 
↑ should not be any old function from U₁ to U₂, but rather one 
which preserves the meanings given by El₁ and El₂. In effect, the 
ν-rule is expressing the coherence property of a richer notion of 
morphism. It is inviting to wonder what other notions of coherence 
we might enable and enforce by checking that ν-rules hold of the 
operations we implement.

Non-examples. A key characteristic of a ν-rule is that it is a nut- 
preserving rearrangement of neutral term layers. Whilst this is good 
for associativity and sometimes for distributivity, it is perfectly use- 
less for commutativity. Suppose + for natural numbers is recursive 
on its first argument, and observe that rewriting x + y to y + x 
when x is neutral will not result in a neutral term unless y is also 
neutral. Less ambitious rules such as x + suc y = suc (x + y) 
and its analogue for * similarly make neutral terms come unstuck, and so 
cannot be postponed until reification if we want to be sure that eval- 
uation suffices to show whether any expression in a datatype can be 
put into constructor-headed form. Walukiewicz-Chrząszcz has pro- 
posed a more invasive adoption of rewriting for Coq, necessitating 
a modified evaluator, but incorporating rules which can expose con- 
structors [31]. Her untyped rewriting approach sits awkwardly with 
η-laws, but we can find a more carefully structured compromise.

7. Discussion 

We fully expect to scale this technology up to type theory. Abel and 
Dybjer (with Aehlig [2] and T. Coquand [3]) have already given 
normalization by evaluation algorithms which we plan to adapt. 

Finding good criteria for checking that candidate ν-rules can 
safely be added is of the utmost importance. We want to let the 
programmer negotiate the new ν-rules she wants, as long as the 
machine can check that they yield a notion of standard form and 
lift from neutral terms to all terms by the prior equational theory. 

It is also interesting to try to integrate ν-rules with more prac- 
tical presentations of normalization. For instance Grégoire and 
Leroy's conversion by compilation to a bytecode machine derived 
from OCaml's ZAM [22] decides η by expansion only when pro- 
voked by a λ: such laziness is desirable when possible but causes 
trouble with η-rules for unit types and may conceal the potential to 
apply ν-rules. Hereditary substitution [32], formalized by Abel [1] 
and by Keller and Altenkirch [24], may be easier to adapt.